<p>This rule is deprecated, and will eventually be removed.</p>
<h2>Why is this an issue?</h2>
<p><code>CoSetProxyBlanket</code> and <code>CoInitializeSecurity</code> both work to set the permissions context in which the process invoked
immediately after is executed. Calling them from within that process is useless because it’s too late at that point; the permissions context has
already been set.</p>
<p>Specifically, these methods are meant to be called from non-managed code such as a C++ wrapper that then invokes the managed, i.e. C# or VB.NET,
code.</p>
<h3>Noncompliant code example</h3>
<pre>
Public Class Noncompliant

    &lt;DllImport("ole32.dll")&gt;
    Public Shared Function CoSetProxyBlanket(&lt;MarshalAs(UnmanagedType.IUnknown)&gt;pProxy As Object, dwAuthnSvc as UInt32, dwAuthzSvc As UInt32, &lt;MarshalAs(UnmanagedType.LPWStr)&gt; pServerPrincName As String, dwAuthnLevel As UInt32, dwImpLevel As UInt32, pAuthInfo As IntPtr, dwCapabilities As UInt32) As Integer
    End Function

    Public Enum RpcAuthnLevel
        [Default] = 0
        None = 1
        Connect = 2
        [Call] = 3
        Pkt = 4
        PktIntegrity = 5
        PktPrivacy = 6
    End Enum

    Public Enum RpcImpLevel
        [Default] = 0
        Anonymous = 1
        Identify = 2
        Impersonate = 3
        [Delegate] = 4
    End Enum

    Public Enum EoAuthnCap
        None = &amp;H00
        MutualAuth = &amp;H01
        StaticCloaking = &amp;H20
        DynamicCloaking = &amp;H40
        AnyAuthority = &amp;H80
        MakeFullSIC = &amp;H100
        [Default] = &amp;H800
        SecureRefs = &amp;H02
        AccessControl = &amp;H04
        AppID = &amp;H08
        Dynamic = &amp;H10
        RequireFullSIC = &amp;H200
        AutoImpersonate = &amp;H400
        NoCustomMarshal = &amp;H2000
        DisableAAA = &amp;H1000
    End Enum

    &lt;DllImport("ole32.dll")&gt;
    Public Shared Function CoInitializeSecurity(pVoid As IntPtr, cAuthSvc As Integer, asAuthSvc As IntPtr, pReserved1 As IntPtr, level As RpcAuthnLevel, impers As RpcImpLevel, pAuthList As IntPtr, dwCapabilities As EoAuthnCap, pReserved3 As IntPtr) As Integer
    End Function

    Public Sub DoSomething()
        Dim Hres1 As Integer = CoSetProxyBlanket(Nothing, 0, 0, Nothing, 0, 0, IntPtr.Zero, 0) ' Noncompliant
        Dim Hres2 As Integer = CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, RpcAuthnLevel.None, RpcImpLevel.Impersonate, IntPtr.Zero, EoAuthnCap.None, IntPtr.Zero) ' Noncompliant
    End Sub

End Class
</pre>
<h2>Resources</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/648">CWE-648 - Incorrect Use of Privileged APIs</a> </li>
</ul>

